Sneak Analysis
Sneak Analysis (SA) is a methodology for identifying design errors. It got its rather ridiculous name in the 1960’s from early work on electrical systems by the Boeing company. In the mid-seventies, it began to be applied to process systems though the name ‘Sneak Analysis’ was not then used and the methodology tended to be used mainly in the USA. However, by 1979 it was beginning to be recognised, at least in parts of Europe, as a means of process hazard identification. In the early nineties, several workers (Taylor, Taylor, Whetton) began to apply the methodology seriously to process systems, a short book was published, and several important points were established:
Throughout the last ten years there has been continuous progress (Armstrong, Whetton, Whetton) in the application of Sneak Analysis to process systems – especially in applications to batch plant – and the methodology is now well recognised.
A Sneak is a design condition (possibly in conjunction with a single-point failure) which gives rise to an unintended event or which inhibits an intended event.
In this context, an event can be:
The concept can be illustrated by the following six examples.
A sneak flow is the unintended transfer of material, energy, information, etc. which occurs along an unintended path, either as a result of a combination of intended actions or as a result of a single failure. The figure, right, shows a simple example of a process sneak flow. If both drain valves are opened together, it is very probable that there will be a sneak flow from vessel B (which contains nitrogen tetroxide) to vessel A (which contains naphtha).
A sneak flow contributed to the Three Mile Island (TMI) incident which began when operators tried to clear a blocked vessel by making a temporary connection from the instrument air supply to the vessel. Unfortunately, the pressure in the vessel rose above that of the air, reverse flow occurred, and the instrument air system filled with water – with disastrous consequences. A similar incident is recounted by Kletz, in which the drinking water supply was used to prime a pump, with the result that, in Kletz’ words: "The tea tasted funny." In general, sneak flows arise from:
Further examples are given in the sneak clue database, Holmes. ility Engineering has developed a logical procedure for analysing sneak flows and details are available in our training courses.
A sneak indication is a false or ambiguous indication of system conditions.
The figure, left, shows a common example of a sneak indication. The temperature transmitter is supposed to indicate liquid temperature – yet it is not in contact with the liquid. Whatever it is indicating, it will be a different temperature from the liquid. This is a very common problem and has led to some serious accidents.
Sneak Indications have been responsible for or contributing factors to several notable incidents, in aviation and the process industries, including:
These are briefly examined in the following paragraphs. Further examples are given in the sneak clue database, Holmes.
In 1974, a Turkish Airlines (TAL) DC-10 crashed at Ermenonville, France, shortly after takeoff from Paris, Orly. There were no survivors. Because it was not closed properly, the aft cargo door blew open. Air pressure then caused the rear floor of the passenger compartment to collapse, severing the main control linkages to the tail and sending the aircraft out of control. The incident was the subject of a well written book by Eddy and the Sunday Times "Insight" team.
A grossly simplified schematic of the door latching arrangement is shown in the figure right. As originally conceived, the DC-10 cargo doors hinged outward and upward. When closed, a series of dogs on a rotating shaft at the bottom of the door engaged with a corresponding set of hooks and pulled the door tight against the rubber pressure seal. Originally, the status of the door latch was shown by a metal plate attached to the transfer rod and located behind a sight-glass in the door; when closed, the plate showed green; when open, it showed red. Unfortunately, this was difficult for the operator to see, especially in the dark, and was made even more difficult by the operating lever being at the top of the door and the sight glass at the bottom. Also, it required considerable force to operate the lever against the resistance offered by the rubber seals. Inevitably, an aircraft took off without the cargo door being properly closed. There was a near miss. At about 8,000 feet, the door flew open, the cargo – including an occupied coffin – fell out, part of the cabin floor collapsed, and two out of the three control paths to the tail surfaces were lost. Fortunately, the aircraft was able to land safely.
None of the obvious lessons were learned from this incident. Instead, it was decided to replace the door latch indicator with an electrical system. However, there was no room to retrofit a switch down at the level of the shaft carrying the latch dogs. Instead, it was placed where it could be operated by an extension of the door closure lever, as shown in the figure.
In the TAL incident, the baggage handler closed the lever to lock the door. In later testimony, he said that it took an unusual amount of force to close but eventually the green light came on. What in fact had happened was that the dogs were not able to engage because the door was not closed far enough to begin with. In applying extra force, the baggage handler had bent the transfer rod, allowing the door handle extension to close the switch and turn on the green light. The door flew open at an altitude of about 2,500m and the disaster followed.
The following points are worth noting:
One of the contributory factors to the 1979 incident at the Three Mile Island (TMI) nuclear reactor was a sneak flow, as described above; another factor was a sneak indication.
The TMI sneak indication is shown in the figure, right; it is almost an exact logical copy of the sneak indication in the Ermenonville disaster, described above. Unfortunately, nuclear, process and aircraft engineers rarely read about each others’ mistakes. Still less do they learn from them.
In the figure, the two relief valves were operated from the control panel and a panel indicator was supposed to display the valve status. Actually, the lamp indicated the switch status and bore no relation whatsoever to the state of the valves. During the TMI incident, the lamp indicated that the PORV’s were closed when in fact they were open – leading to a loss of reactor coolant.
The 1992 accident at Hickson and Welch was also caused in part by a sneak indication.
In the Hickson and Welch incident, shown in simplified form in the figure, right, operators were attempting to clean a deposit from the bottom of a vessel. They heated the deposit with steam (which was labelled by pressure, not by temperature) and used a thermometer to monitor the temperature of the deposit. The thermometer was not in contact with the deposit which reached its auto-ignition temperature and exploded, shooting a jet of flame several tens of feet into a temporary control room and killing the occupants.
A sneak label is an ambiguous or misleading label, an example of which is shown in the figure, right.
The author once saw four transformers in the switchyard of a plant; each transformer was about two metres high; none of the labels was larger than 10 cm square and they were all in different locations (they were actually attached to a chain-link fence in front of the transformers). All the letters were in blue except III which was in yellow – which probably did not show well under sodium lights, at night. Quick! Go and pull the manual isolator on transformer number three.
With the increasing use of windowing in plant control displays, the question of sneak labels is becoming more important. Some general rules for information displays, derived from an analysis of sneak labels, are:
Further examples are given in the sneak clue database, Holmes.
Sneak energy is the presence of unintended energy at some point in the system or the presence of energy at an unintended place.
Sneak energy is surprisingly common: especially the case shown in the figure, right. Here, two liquids have been poured into a reactor without the agitator running – an all too common mistake. The liquids are of widely differing densities and react violently when mixed. Just after the last drop of liquid A was added someone realised that they had forgotten to turn on the agitator. They turned it on.
Apart from the near universal problem of failure to agitate – referred to above – sneak energy is most commonly encountered as trapped pressure, especially during maintenance. Other examples include products of reaction and static electricity. Further examples are given in the sneak clue database, Holmes.
Examples of pressure trapped in pipelines and vessels and leakage via non-return valves are widespread in the literature (Kletz, Lees, Whetton) and have long been recognised. A serious problem, which regularly causes deaths and injuries, is pressure trapped within a system which is accidentally released during maintenance. It is most unfortunate that the process maintenance engineer has no equivalent of the electrician’s voltmeter with which to test a pipe or vessel for pressure before beginning to open it. It does, however, suggest that any pipe, vessel, or other structure that can be subject to pressure and that is liable to disassembly for maintenance should be fitted with a test-port and valve to which a gauge can be attached to confirm that no significant pressure is present. Such a system has been a significant safety feature on submarine torpedo-tubes for the last seventy years.
One common example of Sneak Energy is the storage tank which has been taken out of service and sealed. Corrosion takes place within the tank and atmospheric oxygen is absorbed, leading to a partial vacuum (the sneak energy) which causes the tank to collapse. Another example of sneak energy is the opposite case, where gases are evolved leading to rupture of the tank. Such cases are well documented in Kletz; in another work, thirty-five examples of sneak energy were identified out of 153 sneak-related incidents.
Static electricity occurs whenever electrons are added to or removed from a substance. Chemical engineers may be surprised to learn that you can strip electrons from the outer shells of atoms simply by rubbing them but this is indeed what happens when static electricity is generated by friction. Most plastics and liquid hydrocarbons are electrical insulators and can easily achieve high static charges by flowing over other insulators, as the following example shows. A university laboratory built a new store room to comply with the latest regulations for storing and dispensing flammable liquids, as shown schematically in the figure, above. Each liquid was stored inside a steel cupboard, which was electrically grounded, purged, and fitted with temperature and vapour sensors. The steel cupboards were themselves in a basement room, with fire-resistant walls, extractor fans, and a full fire suppression system.
One day, an experienced postgraduate student came to fill two plastic bottles with solvent. He filled the first bottle and in doing so, a few drops of solvent ran down the side of the bottle and also onto his fingers. The bottle was quite large, and as it filled became heavier and heavier so that by the time it was full he was holding it several inches below the spout. When the bottle was full, but not yet capped, he placed it on the floor, next to the steel cabinet, before reaching into the pockets of his laboratory coat for the cap. As he put the bottle down, his fingers brushed against the cabinet, he felt an electric shock, and the bottle burst into flames. He received severe burns to the right side of his body.
The subsequent investigation showed that static electricity was almost certainly the culprit, possibly made worse by the hot, dry climate. The system was modified such that:
A sneak procedure is the occurrence of events in an unintended or conflicting sequence, at an unintended time, or for an unintended duration. Ambiguous procedures are very common; those that are recognised as such are sometimes replaced by unofficial and unrecorded procedures. Similarly, awkward or lengthy procedures may be bypassed or replaced by unofficial ‘custom and practice’. All are examples of sneak procedures.
A batch procedure required a liquid to be boiled until it had reduced to half its original volume. The normal volume was 1000 l and the procedure read: "Boil until the volume reaches 500 ±20 l". One day, a batch of only 700 l was processed…
Another classic instance, which also reveals the difficulty which can occur in trying to distinguish between sneak labels and sneak procedures, is the Camelford incident where material was delivered to the wrong tank because one key fitted the locks to each.
Sneak procedures often arise through the absence of an official procedure, in which case the operators invent something, or in the transfer of information from one party to another, such as at shift changes. The figure, right, shows one (greatly simplified) example of this type of problem, taken from Kletz. A plant was being cleaned and re-validated after some modifications had been made. Reactor R3 was charged with toluene, using the pump, manifold, and flexible hose. After refluxing, half of the batch was transferred each to R1 and R2, where reflux again took place. Next, R3 was charged with isopropanol and the sequence was repeated. Finally, all three vessels were drained and washed with water.
At the end of operations, the foreman noticed a film of dust inside R1. He recorded this in the log book, together with a note to the shift manager to: "Agitate R1 with 150 l HNO3 solution for 4h at 80°C". The foreman assumed that "the usual method", which had been practised for many years, would be used; this was to fill the vessel with about 3.5 m³ of water and then pump in 150 l of 53% nitric acid. Unfortunately, the shift manager was unaware of "the usual method". He began to charge R1 with 150 l of concentrated nitric acid, using the pump and flexible hose. After about 120 l of acid had been charged, gas began to evolve rapidly in R1, the relief valve lifted and the shift manager ran. The vessel ruptured but he received no injuries.
As an example of Sneak Procedure, it shows the danger of assuming that everyone knows "the usual method". The usual method was not written down but was simply a matter of 'custom and practice'. The example also demonstrates a case of Sneak Reaction. The pump, which had last been used to transfer isopropanol to R3, had not been completely drained and still contained about 5 l of isopropanol which was pumped into R3 along with the concentrated nitric acid. There, it formed unstable isopropyl nitrate which decomposed explosively.
As with Sneak Indications, Sneak Procedures also crop up in fiction. The story Sulphur, in the late Primo Levi's collection The Periodic Table can be read as a tale of Sneak Procedure, Indication, and Reaction. Although clearly set in the 1950's, only the fact that the hero, Lanza, smokes as he tends the batch distinguishes it from modern practice.
ility Engineering has developed a logical procedure for analysing sneak procedures and details are available in our training courses.
A sneak reaction is an unintended reaction or the unintended catalysis of a reaction – like the day an inquisitive rat fell into the open-topped peroxide storage tank. Sneak Reactions typically arise from:
Gaseous chlorine was being added to a solution of aromatic monomer in carbon tetrachloride at 50°C. When about 10% of chlorine had been added, a violent reaction occurred, lifting the top of the vessel, buckling the pipework, and spraying solution over the two operators. It was subsequently established that ferric chloride had entered the reactor from the stainless steel chlorine lines and that ferric chloride catalyses a violent reaction between chlorine and aromatic monomers.
The following briefly describes a procedure for performing Sneak Analysis on a plant. More detailed procedures are given in the literature. Sneak Analysis is usually done in conjunction with HAZOP but the SA portion of the procedure can be summarised as:
Sneak flows are to be avoided because they can bring together incompatible materials – with disastrous consequences. The first step is to determine what materials can come together and what their potential consequences are. This can be done with the aid of a substance matrix.
The substance matrix is a square matrix of all substances, including intermediates, that occur during the process, together with the standard substances and pseudo-substances listed in the following table.
The Environment
Sewers
Instrument air
Purge air
Purge nitrogen
Purge steam
Process steam
Breathing air
Process water
Fire water
Cooling water
Drinking water
Other substances may be added at the discretion of the analyst. The idea behind the substance matrix is to determine what will happen if {things in the rows} come into contact with {things in the columns}. It is assumed that substances do not react with themselves, so the intersection of each row with its corresponding column is marked with an 'X'.
However, if it is known to be dangerous, or extremely undesirable, for certain pairs of substances to come into contact these are indicated by a 'D' (for dangerous). The property of being dangerous is not always reciprocal. For example, while it is dangerous for Sewers to flow into Drinking Water, it is not dangerous (though certainly wasteful) for Drinking Water to flow into the Sewers. Once constructed, the substance matrix directs the analysis because it defines:
Red: Definitely dangerous
Orange: Unknown
Yellow: Undesirable, but not a major problem
Green: Definitely not a problem
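As an added illustration (not part of the original article and not code from any Sneak Analysis tool), the following Python example builds a substance matrix with the 'X' and 'D' markings described above and uses it to search a small plant model for sneak flows caused by combinations of open valves. The plant layout, the valve names V1 to V3 and the ratings are constructed for the example, based on the two-vessel drain case described earlier; using a path search to apply the matrix is an assumption of this example, not the procedure from the literature.

```python
from collections import deque
from itertools import combinations

# Constructed ratings. (src, dst) means it is dangerous for src to flow INTO dst.
SUBSTANCES = ["Naphtha", "Nitrogen tetroxide", "Sewers", "Drinking water"]
DANGEROUS = {
    ("Nitrogen tetroxide", "Naphtha"),   # the B -> A flow in the drain-valve example
    ("Naphtha", "Nitrogen tetroxide"),   # reverse direction: assumed for this example
    ("Sewers", "Drinking water"),        # not reciprocal: the reverse is left unmarked
}

# Hypothetical plant: two vessels draining through valves into a shared header.
CONTENTS = {"Vessel A": "Naphtha", "Vessel B": "Nitrogen tetroxide", "Sewer": "Sewers"}
LINES = [  # (node, node, valve that must be open for flow)
    ("Vessel A", "Drain header", "V1"),
    ("Vessel B", "Drain header", "V2"),
    ("Drain header", "Sewer", "V3"),
]


def build_matrix(substances, dangerous):
    """Square matrix: 'X' on the diagonal, 'D' where row flowing into column is dangerous."""
    return {row: {col: "X" if row == col else "D" if (row, col) in dangerous else ""
                  for col in substances} for row in substances}


def reachable(start, open_valves, lines):
    """Breadth-first search across lines whose valve is open. Returns {node: path}."""
    paths, queue = {start: [start]}, deque([start])
    while queue:
        node = queue.popleft()
        for a, b, valve in lines:
            if valve not in open_valves:
                continue
            for here, there in ((a, b), (b, a)):
                if here == node and there not in paths:
                    paths[there] = paths[node] + [there]
                    queue.append(there)
    return paths


def find_sneak_flows(lines, contents, matrix, max_open=2):
    """Try every set of up to max_open open valves; report minimal sets joining a 'D' pair."""
    valves = sorted({valve for _, _, valve in lines})
    findings = []
    for size in range(1, max_open + 1):
        for combo in combinations(valves, size):
            opened = frozenset(combo)
            for src, src_sub in contents.items():
                for dst, path in reachable(src, opened, lines).items():
                    if dst == src or dst not in contents:
                        continue
                    if matrix[src_sub][contents[dst]] != "D":
                        continue
                    # Skip supersets of a valve set already reported for this pair.
                    if any(f["src"] == src and f["dst"] == dst and f["valves"] <= opened
                           for f in findings):
                        continue
                    findings.append({"valves": opened, "src": src, "dst": dst, "path": path})
    return findings


if __name__ == "__main__":
    matrix = build_matrix(SUBSTANCES, DANGEROUS)
    for f in find_sneak_flows(LINES, CONTENTS, matrix):
        print(sorted(f["valves"]), " -> ".join(f["path"]))
```

Each valve opened on its own is an intended action and produces no finding; only the combination of V1 and V2 joins the two vessels through the shared drain header.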
Sneak clues are statements about equipment, processes, and equipment configurations that prompt the analyst to look for certain hazards. So far, several hundred Sneak Clues have been identified. The process of identifying relevant clues is simplified by co-ordinating them with equipment types and HAZOP keywords. A typical Sneak Clue might read:
Pumps, Centrifugal: note that priming lines are a potential sneak path. Priming lines are not always shown on P&I diagrams and are often temporary connections.
Space and time do not permit a more detailed discussion of this topic but further details can be found in the references.
Confidential communication from the victim to the author, May, 1995.
Armstrong, W. Sneak Analysis Applied to Batch Plants. Unpublished dissertation for the degree of MSc in Process Safety and Loss Prevention. University of Sheffield, 1992.
Eddy, Paul, E. Potter, and B. Page. 1976. Destination Disaster. London, Hart-Davis.
Hill, E.J. and Bose, L.J. Sneak Circuit Analysis of Military Systems. Proc. 2nd International Systems Safety Conference. 1975. pp351-372
Kletz, T.A. 1988. What went wrong? Houston, Gulf Publishing. ISBN 0-87201-919-5
Lees, Frank, P. 1980 Loss prevention in the process industries. Butterworth, London, 1980. ISBN 0-408-10604-2
Lees, F. Loss Prevention in the Process Industries. Second Edition. Butterworth.
Levi, P. The Periodic Table. 1986, Penguin.
Milne, R. One wrong delivery, and a whole town is poisoned. New Scientist, 21 January, 1989, p.60
Rivas, J. Roberto, D.F.Rudd, and L.R.Kelly Synthesis of Failure-Safe Operations. AIChE. J. 20, p311. 1974.
Rivas, J. Roberto, and D.F.Rudd Computer-Aided Safety Interlock Systems. AIChE. J. 20, p320. 1974.
Taylor, J.R. A Background to Risk Analysis. Vol. 4, Risø National Laboratories, Denmark, 1979.
Taylor, J.R. Sneak Analysis Course Notes. ITSA 90-11-1, ESA/ESTEC, Noordwijk, The Netherlands, 1991
Taylor, J.R. The sneak path analysis procedure. (10pp) In Proceedings of The Sneak Analysis Workshop, ESA-WPP033 (European Space Agency, ESTEC, Noordwijk, The Netherlands.)
Whetton, C. Thermohydraulic sneaks. In Proceedings of The Sneak Analysis Workshop, ESA-WPP033 (European Space Agency, ESTEC, Noordwijk, The Netherlands.)
Whetton, C. Sneak Analysis Applied to Process Systems. VTT Publications, Espoo, Finland, 1992
Whetton, C. 1993. Sneak analysis of process systems. Trans IChemE, Vol 71, Part B, August 1993, pp 169-179
Whetton, C. and W. Armstrong. 1994. Sneak analysis of batch processes. Journal of Hazardous Materials. 38 (1994) pp 257-275